
SANS ISC InfoSec Handlers Diary Blog



Recent Change in Stock-Spam Tactics (PDF and Excel)

Published: 2007-07-22
Last Updated: 2007-07-22 19:14:00 UTC
by Kevin Liston (Version: 1)

It started nearly a month ago: a shift from image-based spam to spam carrying PDF attachments.

I'm sure that you've seen these in your mailbox; the move to PDF was effective in evading spam filters.  You have also likely noticed the follow-on shift in tactics, from a simple text message inside the PDF to an encoded image inside the PDF (to foil pdf2text-like tools, I presume).
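To make that evasion concrete, here is an added triage heuristic (example code written for this edit, not the ISC handlers' own) that decides whether a PDF attachment carries its message as text-showing operators, which pdf2text-style tools can extract, or only as a drawn image XObject. It is a regex-based scan, not a conformant PDF parser (it ignores the xref table and /Length and only handles FlateDecode), and the sample PDFs it checks are constructed inline; the ticker "XYZ" in them is a placeholder.

```python
"""Attachment triage for the PDF pump-and-dump wave: does the PDF carry its
message as real text (pdf2text-able) or only as an embedded image?
Added example, not the ISC handlers' code.  Sample PDFs are constructed inline."""
import re
import zlib

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# Text-showing operators: (..) Tj, [..] TJ, (..) ' and (..) "
TEXT_OP_RE = re.compile(rb"[)>\]]\s*(?:Tj|TJ|'|\")(?![A-Za-z])")
# Painting a named XObject; images reach the page this way
DO_RE = re.compile(rb"/\w+\s+Do(?![A-Za-z])")
IMAGE_DICT_RE = re.compile(rb"/Subtype\s*/Image\b")


def decoded_streams(pdf):
    """Yield (dictionary, data) for every stream object.  Only FlateDecode is
    handled; other filters (or corrupt data) are yielded raw.  Heuristic
    parsing: xref and /Length are ignored, so a stream whose bytes happen to
    contain 'endstream' would be cut short."""
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(1)
        m = STREAM_RE.search(body)
        if not m:
            continue
        dictionary, data = body[:m.start()], m.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass
        yield dictionary, data


def classify_pdf(pdf):
    """Count text-showing operators vs. image XObjects and give a verdict:
    'text' (message recoverable by pdf2text-style tools), 'image-only'
    (the evasion described in the diary) or 'no-content'."""
    text_ops = image_draws = image_xobjects = 0
    for dictionary, data in decoded_streams(pdf):
        if IMAGE_DICT_RE.search(dictionary):
            image_xobjects += 1      # pixel data, not a content stream
            continue
        text_ops += len(TEXT_OP_RE.findall(data))
        image_draws += len(DO_RE.findall(data))
    if text_ops:
        verdict = "text"
    elif image_draws or image_xobjects:
        verdict = "image-only"
    else:
        verdict = "no-content"
    return {"text_ops": text_ops, "image_draws": image_draws,
            "image_xobjects": image_xobjects, "verdict": verdict}


def make_pdf(page_content, image=False, compress=False):
    """Construct a minimal one-page PDF for testing (constructed sample; no
    xref table, which this parser does not need)."""
    if compress:
        stream, filt = zlib.compress(page_content), b"/Filter /FlateDecode "
    else:
        stream, filt = page_content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
        b"/Resources << /XObject << /Im1 5 0 R >> >> >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    if image:
        pixels = bytes([0xFF, 0x00, 0xFF, 0x00])   # 2x2 8-bit gray, constructed
        objs.append(b"<< /Type /XObject /Subtype /Image /Width 2 /Height 2 "
                    b"/ColorSpace /DeviceGray /BitsPerComponent 8 "
                    b"/Length %d >>\nstream\n" % len(pixels) + pixels + b"\nendstream")
    out = [b"%PDF-1.4"]
    for num, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj")
    out.append(b"%%EOF")
    return b"\n".join(out)


# Constructed samples: the early text-in-PDF style vs. the image-in-PDF style
TEXT_PDF = make_pdf(b"BT /F1 12 Tf 72 700 Td (Strong buy: XYZ) Tj ET")
IMAGE_PDF = make_pdf(b"q 468 0 0 200 72 500 cm /Im1 Do Q", image=True)
COMPRESSED_TEXT_PDF = make_pdf(b"BT /F1 12 Tf (XYZ set to double) Tj ET", compress=True)

if __name__ == "__main__":
    for name, pdf in (("text", TEXT_PDF), ("image", IMAGE_PDF),
                      ("compressed", COMPRESSED_TEXT_PDF)):
        print(name, classify_pdf(pdf))
```

An "image-only" verdict on an unsolicited PDF is a useful filter signal precisely because a legitimate one-page document almost always contains some text operators; the image-in-PDF spam deliberately has none. Real attachments should be parsed with a proper PDF library before acting on the verdict, since this scan will mis-read object streams and non-Flate filters.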

I would have thought that this shift would have had an impact on the efficacy of the scheme.  "Certainly people won't open unsolicited PDF files," I thought.  Based on the number of submissions over the past month asking whether these were PDF-exploit attempts, I felt that this shift would have had some impact on the success of this type of scheme.

In January, I performed an unscientific experiment monitoring the impact of Pump and Dump schemes on the targeted companies.  My hypothesis was that Pump and Dump schemes have an overall negative impact on the company whose symbol was targeted.  I was unable to prove this hypothesis; the stock price quickly returned to normal three to four weeks after an event (in the population of stocks that I tracked in the first quarter of 2007, that is).

This morning I did a bit of comparison with the symbols identified in the few PDF files that I had left in my mailbox.  Looking at this small sample, it seems that these schemes are just as effective in manipulating the stock price as text-only and image-based spam messages.

The consequence of this is that there exists a large population of people, with a fair amount of assets in the stock market, who willingly open unsolicited PDF files.  This makes for a concerning scenario the next time an arbitrary-code-execution vulnerability is identified in a popular PDF reader.

A reader submitted a report that they were receiving a large number of spam messages consisting of an Excel file.  Examination of this file showed that it contained a Pump and Dump message.  This could serve as an indicator of another shift in tactics.  The VERY interesting part is that the formatting of this Excel file is extremely similar to the first PDF version reported by Maarten.  This group appears to target the German stock market.  I expect US penny-stock schemes to employ this technique shortly.  I'm similarly concerned about the number of people who will open unsolicited Excel files.
